Finite field arithmetic logic is central in the implementation of some error-correcting coders and some cryptographic devices. There is a need for good multiplication algorithms which can be easily realized. Massey and Omura recently developed a new multiplication algorithm for finite fields based on a normal basis representation. Using the normal basis representation, the design of the finite field multiplier is simple and regular. The fundamental design of the Massey-Omura multiplier is based on a design of a product function. In this article, a generalized algorithm to locate a normal basis in a field is first presented. Using this normal basis, an algorithm to construct the product function is then developed. This design does not depend on particular characteristics of the generator polynomial of the field.


I. Introduction 

The finite field $GF(2^m)$ is a number system containing $2^m$ elements. Its attractiveness in practical applications stems from the fact that each element can be represented by $m$ binary digits. The practical application of error-correcting codes makes considerable use of computation in $GF(2^m)$. Both the encoding and decoding devices for the important Reed-Solomon codes must perform computations in $GF(2^m)$ (Refs. 1, 2). The decoding device for the binary BCH codes also must perform computation in $GF(2^m)$ (Refs. 1, 2). On the other hand, recent advances in secret communications, such as encryption and decryption of digital messages, also require the use of computation in $GF(2^m)$ (Ref. 3). Hence, there is a need for good algorithms for doing multiplication in a finite field.


Yeh, Reed and Truong (Ref. 4) presented a design for performing multiplication in $GF(2^m)$ which is suitable for VLSI implementation. In their design, the elements in the field are represented by a canonical basis $\{1, \alpha, \alpha^2, \alpha^3, \ldots, \alpha^{m-1}\}$ where $\alpha$ is a root of an irreducible polynomial of degree $m$ over $GF(2)$. Some other previous work on multipliers in $GF(2^m)$ by Bartee and Schneider (Ref. 5), Gallager (Ref. 6), and Laws and Rushforth (Ref. 7) is also based on the canonical basis of $GF(2^m)$. However, these circuits are not as well suited for use in VLSI systems, due to irregular wire routing and complicated control problems as well as nonmodular structure or lack of concurrency (Ref. 8).

Recently, Massey and Omura (Ref. 9) invented a multiplier which obtains the product of two elements in the finite field $GF(2^m)$. In their invention, they utilize a normal basis of the form $\{\alpha, \alpha^2, \alpha^4, \ldots, \alpha^{2^{m-1}}\}$ to represent elements of the field. In this basis, again, each element in the field $GF(2^m)$ can be represented by $m$ binary digits.

In the normal-basis representation the squaring of an element in $GF(2^m)$ is readily shown (Ref. 10) to be a simple cyclic shift of its binary digits. In the normal basis representations, multiplication requires the same logic function for any one bit of the product as it does for any other (Ref. 10). The generation of adjacent product digits differs only in the inputs, which are cyclically shifted versions of one another, to this product function. Hence, designing a Massey-Omura multiplier is exactly the same as designing a product function. In Ref. 10, a pipeline architecture suitable for VLSI design has been developed for a Massey-Omura multiplier of $GF(2^m)$. In comparison with the multiplier designed in Ref. 4, the Massey-Omura multiplier is much simpler.

In Ref. 10, the design of a Massey-Omura multiplier is based on a normal basis

$$\{\alpha, \alpha^2, \alpha^{2^2}, \ldots, \alpha^{2^{m-1}}\} \qquad (1)$$

which is the set of roots of an irreducible polynomial

$$P(x) = x^m + c_1 x^{m-1} + \cdots + c_m \qquad (2)$$

over $GF(2^m)$.

In general, to verify the linear independence of the roots in Eq. (1) is difficult. A straightforward way to do this is to represent $\alpha^{2^i}$, $i = 0, 1, \ldots, m-1$, by $m$-dimensional vectors in canonical basis $\{1, \alpha, \alpha^2, \ldots, \alpha^{m-1}\}$ and then to check whether the $m \times m$ matrix composed by the above $m$ vectors is nonsingular. For large $m$, this method requires a great number of computations. Peterson and Weldon (Ref. 2) list a set of irreducible polynomials of degree $m < 34$ over $GF(2)$ for which the roots are linearly independent.

For the case of $m = 2^n$, Perlis (Ref. 11) has shown that a necessary and sufficient condition for the above set (Eq. [1]) to be a normal basis of $GF(2^m)$ is the trace of $\alpha$ obeying the relation

$$Tr(\alpha) = \alpha + \alpha^2 + \alpha^{2^2} + \cdots + \alpha^{2^{m-1}} = 1$$

or, equivalently, the coefficient $c_1$ in Eq. (2) is 1. He also gave necessary and sufficient conditions for a normal basis of $GF(2^m)$ when $m = p^n$ with prime $p$. Berlekamp (Ref. 12, p. 254), and Lidl and Niederreiter (Ref. 13, p. 124) have also given a formula to compute the number of elements which can generate a normal basis in $GF(2^m)$. Wah and Wang (Refs. 14, 16) have shown that the so-called all-one-polynomial of degree $m$ is irreducible and its roots constitute a normal basis if and only if $m + 1$ is a prime and 2 is primitive mod $(m + 1)$. Pei, Wang and Omura (Ref. 15) have also presented necessary and sufficient conditions for an element to generate a normal basis in the field $GF(2^m)$ for the case that $m = 2^k p^n$ where $p$ is an odd prime, $k$ is a non-negative integer, $n$ is a positive integer and $p^n$ has 2 as one of its primitive roots. These conditions can be used to find a normal basis in $GF(2^m)$, if $m$ is of the given form. Using this normal basis as the roots, one can construct an irreducible polynomial of degree $m$ and, therefore, use the algorithm described in Ref. 10 to design the Massey-Omura multiplier.

In this article, a new algorithm to locate a normal basis in any field $GF(2^m)$ is presented. In this algorithm, a special $m \times m$ matrix needs to be set up and its nonsingularity needs to be verified. For large $m$, this algorithm also seems to be very time consuming. However, due to some special properties of this matrix, the matrix set up procedure only requires $m$, rather than $m \times m$, entry computations, and the verification of the nonsingularity can be based on some quick check rules, resulting in a saving of a tremendous amount of computation time. Using this normal basis, a methodology to construct the product function of the Massey-Omura multiplier is also developed in this article. This approach uses the concept of dual basis. It is shown that the coefficients of the product function are the trace values of some particular elements in $GF(2^m)$. These particular elements can be computed by the normal basis used and its dual basis. Hence, the design of a Massey-Omura multiplier can be based on any arbitrary normal basis in $GF(2^m)$ which need not be the roots of the generator polynomial.


II. Dual Basis Approach of Designing Massey-Omura Finite Field Multiplier

Two bases $\{\alpha_1, \alpha_2, \ldots, \alpha_m\}$ and $\{\beta_1, \beta_2, \ldots, \beta_m\}$ are said to be dual, or complementary, if

$$Tr(\alpha_i \beta_j) = \delta_{ij} = \begin{cases} 0 & \text{for } i \neq j \\ 1 & \text{for } i = j \end{cases} \qquad (3)$$

Seven useful properties of a finite field $GF(2^m)$ are stated here without proof (for proofs see Refs. 1 and 16). These properties are as follows:

(1) Trace is a linear operation over $GF(2)$.

(2) For every $\alpha \in GF(2^m)$,

$$Tr(\alpha^2) = [Tr(\alpha)]^2 = Tr(\alpha) \in GF(2)$$

(3) $Tr(1) = m \bmod 2$

(4) If $\{\alpha_1, \alpha_2, \ldots, \alpha_m\}$ and $\{\beta_1, \beta_2, \ldots, \beta_m\}$ are two bases and dual to each other, for any $x \in GF(2^m)$,

$$x = \sum_{i=1}^{m} a_i \cdot \alpha_i = \sum_{i=1}^{m} Tr(x \cdot \beta_i) \cdot \alpha_i$$

(5) Every basis has a dual basis.

(6) A normal basis exists in any field $GF(2^m)$.

(7) The dual basis of a normal basis is also a normal basis.

Suppose that $\{\alpha, \alpha^2, \alpha^{2^2}, \ldots, \alpha^{2^{m-1}}\}$ is a normal basis of field $GF(2^m)$, and $\{\beta, \beta^2, \beta^{2^2}, \ldots, \beta^{2^{m-1}}\}$ is its dual basis. For any two elements $y$ and $z$ in $GF(2^m)$, they can be expressed as

$$y = y_0 \alpha + y_1 \alpha^2 + y_2 \alpha^{2^2} + \cdots + y_{m-1} \alpha^{2^{m-1}} = \sum_{i=0}^{m-1} y_i \alpha^{2^i}$$

$$z = z_0 \alpha + z_1 \alpha^2 + z_2 \alpha^{2^2} + \cdots + z_{m-1} \alpha^{2^{m-1}} = \sum_{i=0}^{m-1} z_i \alpha^{2^i}$$

Let

$$\omega = y \cdot z = \omega_0 \alpha + \omega_1 \alpha^2 + \omega_2 \alpha^{2^2} + \cdots + \omega_{m-1} \alpha^{2^{m-1}} = \sum_{k=0}^{m-1} \omega_k \alpha^{2^k}$$

By property (4),

$$\omega_k = Tr(\omega \beta^{2^k}) = Tr(y z \beta^{2^k}) = \sum_{i=0}^{m-1} \sum_{j=0}^{m-1} y_i z_j \, Tr(\alpha^{2^i} \cdot \alpha^{2^j} \cdot \beta^{2^k}) \qquad (4)$$

Lemma 1

where

$\bar{i} = i \bmod m$

Proof. The lemma follows from the fact that $x^{2^m} = x$ and $Tr(x^2) = Tr(x)$ (Property 2) for any $x \in GF(2^m)$.

Theorem 2


m-l m-l / , , 

-i = z •« 2 V) 


CO, 


1=0 7=0 


where 


>1 = nr 


Proof: From Eq. (4), 




Since 


m-l 

- E 

m-l , . 

E V/ 7 ^ 2 • 

1=0 

/=0 

m 

m / i 

- E 

E ^i Vi M* 2 

1=1 

7=1 

m 

m / 

- E 

E z /-i rr ' 

1-1 

/-i 


v' = y , and z' 

•'o m-l 0 


. y- : 


') 
where


co, 


m~l m-\ t .■ ,• 

,,-r e^k - 1 


m - 1 m-1 

E E 

i=o /=o 

Let $f$ be a $2m$-dimensional function such that

$$\omega_{m-1} = f(y_0, y_1, \ldots, y_{m-1}, z_0, z_1, \ldots, z_{m-1}) = \sum_{i=0}^{m-1} \sum_{j=0}^{m-1} y_i z_j \, Tr(\alpha^{2^i} \cdot \alpha^{2^j} \cdot \beta^{2^{m-1}}) = \sum_{i=0}^{m-1} \sum_{j=0}^{m-1} y_i z_j \rho_{ij}$$

where $\rho_{ij} = Tr(\alpha^{2^i} \cdot \alpha^{2^j} \cdot \beta^{2^{m-1}})$. Since $\{y'_i\}$ is the cyclically shifted version of $\{y_i\}$, by Theorem 2,

$$\omega_{m-2} = \sum_{i=0}^{m-1} \sum_{j=0}^{m-1} y'_i z'_j \, Tr(\alpha^{2^i} \cdot \alpha^{2^j} \cdot \beta^{2^{m-1}}) = \sum_{i=0}^{m-1} \sum_{j=0}^{m-1} y'_i z'_j \rho_{ij} = f(y_{m-1}, y_0, y_1, \ldots, y_{m-2}, z_{m-1}, z_0, z_1, \ldots, z_{m-2})$$

Applying this technique repeatedly, one can obtain

$$\begin{aligned}
\omega_{m-1} &= f(y_0, y_1, y_2, \ldots, y_{m-1}, z_0, z_1, z_2, \ldots, z_{m-1}) \\
\omega_{m-2} &= f(y_{m-1}, y_0, y_1, \ldots, y_{m-2}, z_{m-1}, z_0, z_1, \ldots, z_{m-2}) \\
&\;\;\vdots \\
\omega_1 &= f(y_2, y_3, \ldots, y_{m-1}, y_0, y_1, z_2, z_3, \ldots, z_{m-1}, z_0, z_1) \\
\omega_0 &= f(y_1, y_2, \ldots, y_{m-1}, y_0, z_1, z_2, \ldots, z_{m-1}, z_0)
\end{aligned} \qquad (5)$$

with

$$f(a_0, a_1, \ldots, a_{m-1}, b_0, b_1, \ldots, b_{m-1}) = \sum_{i=0}^{m-1} \sum_{j=0}^{m-1} \rho_{ij} a_i b_j \qquad (5a)$$

$$\rho_{ij} = Tr(\alpha^{2^i} \cdot \alpha^{2^j} \cdot \beta^{2^{m-1}}) \qquad (5b)$$

In Eq. (5), it is shown that the product components $\omega_i$, $i = 0, 1, \ldots, m-1$, can be obtained by the same logic function $f$ operating on the cyclically shifted versions of the components of multiplicand and multiplier. This function $f$, the so-called product function, defines the Massey-Omura multiplier (Refs. 9, 10). It is illustrated from Eqs. (5), (5a) and (5b) that the product function $f$ only depends on the normal basis $\{\alpha, \alpha^2, \ldots, \alpha^{2^{m-1}}\}$ used since $\beta$ also depends on $\alpha$ and that its coefficients are the trace values of some elements in $GF(2^m)$. These elements can be computed by multiplying the components of the normal basis and the last component $\beta^{2^{m-1}}$ of its dual basis. Unlike the method described in Ref. 10, the construction of the product function $f$ in this article is independent of the characteristic of the generating polynomial of $GF(2^m)$. Hence, this method gives an advantage that one can use any arbitrary irreducible polynomial of degree $m$ to generate the field $GF(2^m)$.


III. Properties of the Associated Boolean Matrix

An equivalent way to represent the product function $f$ of Eq. (5) is by means of a Boolean matrix

$$\Omega = [\rho_{ij}]_{i,j=0}^{m-1} \qquad (6)$$

where

$$\rho_{ij} = Tr(\alpha^{2^i} \cdot \alpha^{2^j} \cdot \beta^{2^{m-1}}) \qquad (6a)$$

is the coefficient of $a_i b_j$ in Eq. (5a).

Since to design a Massey-Omura multiplier is essentially to design a product function, the construction of the Boolean matrix $\Omega$ in Eq. (6) becomes the central issue of the design. The following theorems show some properties of the Boolean matrix.

Theorem 3. The matrix $\Omega$ is symmetric, that is, $\rho_{ij} = \rho_{ji}$.

Proof. This is obvious from the definition of $\rho_{ij}$ in Eq. (6a).

Theorem 4

$$\rho_{ii} = \begin{cases} 0, & \text{if } i \neq m-2 \\ 1, & \text{if } i = m-2 \end{cases}$$

Proof

$$\rho_{ii} = Tr(\alpha^{2^i} \cdot \alpha^{2^i} \cdot \beta^{2^{m-1}}) = Tr(\alpha^{2^{i+1}} \cdot \beta^{2^{m-1}}) = \delta_{i(m-2)} = \begin{cases} 0, & \text{if } i \neq m-2 \\ 1, & \text{if } i = m-2 \end{cases}$$

Theorem 5

$$\sum_{i=0}^{m-1} \rho_{ij} = \begin{cases} 0, & j \neq m-1 \\ 1, & j = m-1 \end{cases}$$

Proof

$$\sum_{i=0}^{m-1} \rho_{ij} = \sum_{i=0}^{m-1} Tr(\alpha^{2^i} \cdot \alpha^{2^j} \cdot \beta^{2^{m-1}}) = \begin{cases} 0, & j \neq m-1 \\ 1, & j = m-1 \end{cases}$$

From theorems 3 and 4, one can conclude that in the Boolean matrix $\Omega$ only the $(m^2 - m)/2$ entry values in the upper-right triangular portion must be computed, with the diagonal values being fixed. Theorem 5 shows that there are an odd number of 1's in the last row and last column, and an even number of 1's in the remaining rows and columns. This gives a very simple check on the correctness of the Boolean matrix.

Once the Boolean matrix is formed, the design of the Massey-Omura multiplier can proceed as described in Ref. 10. However, there are two important issues which must be addressed.

(1) How can one find a normal basis in $GF(2^m)$ if the generating irreducible polynomial of this field does not provide linearly independent roots?

(2) How can one find the dual basis of a normal basis in $GF(2^m)$?

In the next section we will address these two issues.


IV. Locating a Normal Basis in $GF(2^m)$

Suppose that $\{\alpha, \alpha^2, \alpha^4, \ldots, \alpha^{2^{m-1}}\}$ is a normal basis in $GF(2^m)$. From properties (5) and (7) of section II, its dual basis $\{\beta, \beta^2, \ldots, \beta^{2^{m-1}}\}$, which is also normal, must exist in $GF(2^m)$. Since $\{\beta, \beta^2, \ldots, \beta^{2^{m-1}}\}$ is a basis of $GF(2^m)$, element $\alpha$ can be expressed as

$$\alpha = a_0 \beta + a_1 \beta^2 + \cdots + a_{m-1} \beta^{2^{m-1}} \qquad (7)$$

where $a_i \in GF(2)$ for $i = 0, 1, \ldots, m-1$. By squaring Eq. (7) repeatedly and applying the property that $\beta^{2^m} = \beta$, one can write

$$\begin{bmatrix} \alpha \\ \alpha^2 \\ \alpha^4 \\ \vdots \\ \alpha^{2^{m-1}} \end{bmatrix} = \begin{bmatrix} a_0 & a_1 & a_2 & \cdots & a_{m-1} \\ a_{m-1} & a_0 & a_1 & \cdots & a_{m-2} \\ a_{m-2} & a_{m-1} & a_0 & \cdots & a_{m-3} \\ \vdots & \vdots & \vdots & & \vdots \\ a_1 & a_2 & a_3 & \cdots & a_0 \end{bmatrix} \begin{bmatrix} \beta \\ \beta^2 \\ \beta^4 \\ \vdots \\ \beta^{2^{m-1}} \end{bmatrix} = A \begin{bmatrix} \beta \\ \beta^2 \\ \beta^4 \\ \vdots \\ \beta^{2^{m-1}} \end{bmatrix} \qquad (8)$$


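Multiplying both sides of Eq. (8) by a row vector $[\alpha \;\; \alpha^2 \;\; \alpha^4 \;\; \cdots \;\; \alpha^{2^{m-1}}]$, we have

$$\begin{bmatrix} \alpha^{(1+1)} & \alpha^{(1+2)} & \alpha^{(1+4)} & \cdots & \alpha^{(2^{m-1}+1)} \\ \alpha^{(2+1)} & \alpha^{(2+2)} & \alpha^{(2+4)} & \cdots & \alpha^{(2^{m-1}+2)} \\ \alpha^{(4+1)} & \alpha^{(4+2)} & \alpha^{(4+4)} & \cdots & \alpha^{(2^{m-1}+4)} \\ \vdots & \vdots & \vdots & & \vdots \\ \alpha^{(2^{m-1}+1)} & \alpha^{(2^{m-1}+2)} & \alpha^{(2^{m-1}+4)} & \cdots & \alpha^{2^m} \end{bmatrix} = \begin{bmatrix} a_0 & a_1 & \cdots & a_{m-1} \\ a_{m-1} & a_0 & \cdots & a_{m-2} \\ a_{m-2} & a_{m-1} & \cdots & a_{m-3} \\ \vdots & \vdots & & \vdots \\ a_1 & a_2 & \cdots & a_0 \end{bmatrix} \begin{bmatrix} \beta\alpha & \beta\alpha^2 & \beta\alpha^4 & \cdots & \beta\alpha^{2^{m-1}} \\ \beta^2\alpha & \beta^2\alpha^2 & \beta^2\alpha^4 & \cdots & \beta^2\alpha^{2^{m-1}} \\ \beta^4\alpha & \beta^4\alpha^2 & \beta^4\alpha^4 & \cdots & \beta^4\alpha^{2^{m-1}} \\ \vdots & \vdots & \vdots & & \vdots \\ \beta^{2^{m-1}}\alpha & \beta^{2^{m-1}}\alpha^2 & \beta^{2^{m-1}}\alpha^4 & \cdots & \beta^{2^{m-1}}\alpha^{2^{m-1}} \end{bmatrix} \qquad (9)$$

Since the trace function is linear over $GF(2)$, applying the trace function to both sides of Eq. (9) results in

$$F = A \cdot I = A \qquad (10)$$

where $F$ is an $m$ by $m$ matrix with $(i, j)$ entry

$$F_{ij} = Tr(\alpha^{2^i} \cdot \alpha^{2^j}) \qquad (11)$$

for $i, j = 0, 1, 2, \ldots, m-1$. Notice that $F$ depends only on $\alpha$. Hence Eq. (8) can be written as

$$\begin{bmatrix} \alpha \\ \alpha^2 \\ \alpha^4 \\ \vdots \\ \alpha^{2^{m-1}} \end{bmatrix} = F(\alpha) \cdot \begin{bmatrix} \beta \\ \beta^2 \\ \beta^4 \\ \vdots \\ \beta^{2^{m-1}} \end{bmatrix} \qquad (12)$$

Theorem 6. For $\alpha \in GF(2^m)$, $\alpha, \alpha^2, \alpha^4, \ldots, \alpha^{2^{m-1}}$ are linearly independent if and only if $F(\alpha)$ is invertible.

Proof. Only the proof of the sufficient condition is necessary since the proof of the necessary condition is trivial and well known. If $\alpha, \alpha^2, \alpha^4, \ldots, \alpha^{2^{m-1}}$ are linearly dependent, there exist $c_i$'s, $i = 0, 1, \ldots, m-1$ in $GF(2)$ which are not all zeros such that

$$\sum_{i=0}^{m-1} c_i \alpha^{2^i} = 0$$

Multiplying both sides by $\alpha^{2^j}$ for $j = 0, 1, \ldots, m-1$,

$$\sum_{i=0}^{m-1} c_i \alpha^{2^i} \cdot \alpha^{2^j} = 0$$

Taking the trace values on both sides, one has

$$\sum_{i=0}^{m-1} c_i \, Tr(\alpha^{2^i} \cdot \alpha^{2^j}) = \sum_{i=0}^{m-1} c_i F_{ij} = 0$$

for all $j = 0, 1, 2, \ldots, m-1$. Thus, $F$ is not invertible and the theorem is proved.

From Eq. (12), if $F$ is invertible, the dual basis $\{\beta, \beta^2, \ldots, \beta^{2^{m-1}}\}$ of the normal basis $\{\alpha, \alpha^2, \ldots, \alpha^{2^{m-1}}\}$ can be computed by

$$\begin{bmatrix} \beta \\ \beta^2 \\ \vdots \\ \beta^{2^{m-1}} \end{bmatrix} = F^{-1}(\alpha) \cdot \begin{bmatrix} \alpha \\ \alpha^2 \\ \vdots \\ \alpha^{2^{m-1}} \end{bmatrix} \qquad (13)$$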


V. Construction of the Boolean Matrix 

Now, an algorithm to construct the Boolean matrix $\Omega$ for the multiplication in $GF(2^m)$ can be developed. Starting with an arbitrary element $\alpha$ in $GF(2^m)$ (for example, a root of the generating polynomial), one can set up the matrix $F(\alpha)$ as given by Eq. (11) and then check whether $F(\alpha)$ is invertible. If it is, $\{\alpha, \alpha^2, \ldots, \alpha^{2^{m-1}}\}$ is a normal basis; otherwise, repeat the process with another element $\alpha$ in $GF(2^m)$ until the corresponding $F(\alpha)$ is invertible. The dual basis $\{\beta, \beta^2, \beta^{2^2}, \ldots, \beta^{2^{m-1}}\}$ of $\{\alpha, \alpha^2, \alpha^{2^2}, \ldots, \alpha^{2^{m-1}}\}$ then can be formed by Eq. (13). Finally, using Eq. (6) together with the Theorems 3 and 4 in Section III, we can construct the Boolean matrix $\Omega$. Figure 1 shows the flow chart of constructing the Boolean matrix $\Omega$ for the multiplication in $GF(2^m)$.

In the procedure of Fig. 1, setting up the matrix $F(\alpha)$ seems to be very time consuming since it requires trace computations for $m^2$ elements. However, it should be pointed out that, since $Tr(\alpha^2) = Tr(\alpha)$ and $\alpha^{2^m} = \alpha$ for any $\alpha$ in $GF(2^m)$, $F_{\overline{i+1},\overline{j+1}}(\alpha) = F_{ij}(\alpha)$ where $\bar{j} = j \bmod m$. This implies that the $(i+1)$th row or column of $F(\alpha)$ is the cyclically shifted version of the $i$th row or column. Hence, only the first row or column of $F(\alpha)$ must be computed. Appendix A illustrates a way to compute the trace value for any element in $GF(2^m)$.

Traditionally, a Gaussian elimination algorithm can be used to verify whether $F(\alpha)$ is invertible or not. However, a few conditions for $F(\alpha)$ to be invertible can be checked before actually performing the Gaussian elimination algorithm, resulting in a saving of a significant amount of computation time. The following theorems describe these conditions.

Theorem 7. If $Tr(\alpha) = 0$, $F(\alpha)$ is not invertible.

Proof. This is obvious because $Tr(\alpha) = 0$ implies that $\{\alpha, \alpha^2, \alpha^4, \ldots, \alpha^{2^{m-1}}\}$ are linearly dependent.

Theorem 8. If $Tr(\alpha \cdot \alpha^{2^i}) = 1$ for all $i = 0, 1, \ldots, m-1$, $F(\alpha)$ is not invertible.

Proof. Since $F_{\overline{i+1},\overline{j+1}}(\alpha) = F_{ij}(\alpha)$, the condition of $Tr(\alpha \cdot \alpha^{2^i}) = 1$ for all $i$ results in an all-one matrix $F(\alpha)$ which is not invertible.

Theorem 9. If $m$ is even and $Tr(\alpha) = Tr(\alpha^{2^{m/2}+1})$, $F(\alpha)$ is not invertible. The following two lemmas are required to prove this theorem.

Lemma 10. If the first row of matrix $F(\alpha)$ has an even number of 1's, $F(\alpha)$ is not invertible.

Proof. Since the $(i+1)$th row of $F(\alpha)$ is the cyclically shifted version of the $i$th row, this condition means that $F(\alpha)$ has an even number of 1's in all rows. Adding up all column vectors results in an all-zero vector. Hence $F(\alpha)$ is not invertible.

Lemma 11. $Tr(\alpha^{2^j+1}) = Tr(\alpha^{2^{m-j}+1})$ for $1 < j < m/2$.


Proof 





= Tr 


] - 2>(«’"«') 


= Tr\ 




Lemma 11 implies that the $(j+1)$th element from the left of the first row vector of $F(\alpha)$ is equal to the $j$th element from the right. Lemma 10 and Lemma 11 lead to the following two properties.

(1) When $m$ is odd, the first row vector of the matrix $F(\alpha)$ has the structure

$$\left[\, Tr(\alpha^{2}),\; Tr(\alpha^{2^1+1}),\; \ldots,\; Tr(\alpha^{2^{(m-1)/2}+1}),\; Tr(\alpha^{2^{(m+1)/2}+1}),\; \ldots,\; Tr(\alpha^{2^{m-1}+1}) \,\right]$$

in which the 2nd term equals the $m$th term, the $(j+2)$th term equals the $(m-j)$th term, and the $((m-1)/2+1)$th term equals the $((m+1)/2+1)$th term. Therefore if the first element $Tr(\alpha^2) = 0$, $F(\alpha)$ is not invertible. This is equivalent to the Theorem 7 since $Tr(\alpha) = Tr(\alpha^2)$.

(2) When $m$ is even, the structure of the first row of $F(\alpha)$ becomes

$$\left[\, Tr(\alpha^{2}),\; Tr(\alpha^{2^1+1}),\; \ldots,\; Tr(\alpha^{2^{(m/2-1)}+1}),\; Tr(\alpha^{2^{m/2}+1}),\; \ldots,\; Tr(\alpha^{2^{m-1}+1}) \,\right]$$

in which the 2nd term equals the $m$th term, the $(j+2)$th term equals the $(m-j)$th term, and the $(m/2)$th term equals the $(m/2+2)$th term. This implies that if $Tr(\alpha) = Tr(\alpha^{2^{m/2}+1})$, $F(\alpha)$ is not invertible since there are an even number of 1's in the first row. Hence, Theorem 9 is proved.

VI. Example and Results 

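This section gives an example of designing the Massey-Omura multiplier for $GF(2^7)$. Let $P(x) = x^7 + x^3 + 1$ be the generating polynomial of $GF(2^7)$. Suppose that $\theta$ is a root of $P(x)$. Note that the roots $\{\theta, \theta^2, \theta^4, \theta^{2^3}, \theta^{2^4}, \theta^{2^5}, \theta^{2^6}\}$ are not linearly independent. By Eq. (A-3), the trace values of the canonical basis, $\{Tr(\theta^i) \mid i = 0, 1, \ldots, 6\}$ are $\{1, 0, 0, 0, 0, 0, 0\}$.

(1) Let $\alpha = \theta$. By Theorem 7, $F(\alpha)$ is not invertible since $Tr(\alpha) = 0$.

(2) Let $\alpha = 1 + \theta$. Then $Tr(\alpha \cdot \alpha^{2^i}) = 1$ for all $i = 0, 1, \ldots, m-1$. By Theorem 8, $F(\alpha)$ is not invertible.

(3) Let $\alpha = \theta^2$. $Tr(\alpha) = 0$ and $F(\alpha)$ is not invertible.

(4) Let $\alpha = 1 + \theta^2$. $Tr(\alpha \cdot \alpha^{2^i}) = 1$ for all $i = 0, \ldots, m-1$. The matrix $F(\alpha)$ is not invertible.

(5) Let $\alpha = \theta + \theta^2$. $Tr(\alpha) = 0$. The matrix $F(\alpha)$ is not invertible.

(6) Let $\alpha = 1 + \theta + \theta^2$. $Tr(\alpha \cdot \alpha^{2^i}) = 1$ for all $i = 0, \ldots, m-1$. The matrix $F(\alpha)$ is not invertible.

(7) Let $\alpha = \theta^3$. $Tr(\alpha) = 0$. The matrix $F(\alpha)$ is not invertible.

(8) Let $\alpha = 1 + \theta^3$.

$$F(\alpha) = \begin{bmatrix} 1 & 1 & 0 & 0 & 0 & 0 & 1 \\ 1 & 1 & 1 & 0 & 0 & 0 & 0 \\ 0 & 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 0 & 1 & 1 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 & 1 & 1 \\ 1 & 0 & 0 & 0 & 0 & 1 & 1 \end{bmatrix}$$

is invertible and its inverse is given by

$$F^{-1}(\alpha) = \begin{bmatrix} 1 & 1 & 0 & 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 & 1 & 1 & 0 \\ 0 & 1 & 1 & 1 & 0 & 1 & 1 \\ 1 & 0 & 1 & 1 & 1 & 0 & 1 \\ 1 & 1 & 0 & 1 & 1 & 1 & 0 \\ 0 & 1 & 1 & 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 & 0 & 1 & 1 \end{bmatrix}$$

Hence $\{\alpha, \alpha^2, \ldots, \alpha^{2^{m-1}}\}$ is a normal basis.

(9) The dual basis $\{\beta\}$ of $\{\alpha\}$ is given by

$$\begin{bmatrix} \beta \\ \beta^2 \\ \beta^4 \\ \vdots \\ \beta^{2^6} \end{bmatrix} = F^{-1}(\alpha) \cdot \begin{bmatrix} \alpha \\ \alpha^2 \\ \alpha^4 \\ \vdots \\ \alpha^{2^6} \end{bmatrix}$$

Therefore

$$\beta = \alpha + \alpha^2 + \alpha^8 + \alpha^{16} + \alpha^{64} = 1 + \theta + \theta^3 + \theta^6$$

(10) Finally,

$$\Omega = \left[ Tr(\alpha^{2^i} \cdot \alpha^{2^j} \cdot \beta^{2^{m-1}}) \right]_{i,j=0}^{m-1} = \begin{bmatrix} 0 & 1 & 1 & 1 & 0 & 0 & 1 \\ 1 & 0 & 1 & 0 & 0 & 0 & 0 \\ 1 & 1 & 0 & 1 & 1 & 1 & 1 \\ 1 & 0 & 1 & 0 & 0 & 1 & 1 \\ 0 & 0 & 1 & 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 1 & 0 & 1 & 1 \\ 1 & 0 & 1 & 1 & 1 & 1 & 0 \end{bmatrix}$$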
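The search and construction of steps (1) through (10) can be reproduced in software. The Python below is an added illustration, not code from the article; its function names and the bitmask encoding of field elements (bit i holds the coefficient of θ^i) are assumptions of this example, and it goes one step further by multiplying in normal-basis coordinates with the resulting matrix.

```python
# Added illustration; helper names and the bitmask encoding are this example's own.
M, POLY = 7, 0b10001001   # P(x) = x^7 + x^3 + 1; bit i of an element = coefficient of theta^i

def gf_mul(a, b):
    """Product in GF(2^M): shift-and-add, reducing modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> M:
            a ^= POLY
    return r

def conjugates(x):
    """[x, x^2, x^4, ..., x^(2^(M-1))]."""
    out = [x]
    while len(out) < M:
        out.append(gf_mul(out[-1], out[-1]))
    return out

def combine(bits, elems):
    """GF(2)-linear combination: XOR of the elements whose bit is 1."""
    x = 0
    for bit, e in zip(bits, elems):
        x ^= e if bit else 0
    return x

def trace(x):
    """Tr(x) by definition: the sum of all conjugates, always 0 or 1."""
    return combine([1] * M, conjugates(x))

def f_matrix(alpha):
    """F_ij = Tr(alpha^(2^i) * alpha^(2^j)); only row 0 is computed, row i is row 0 shifted by i."""
    row = [trace(gf_mul(alpha, c)) for c in conjugates(alpha)]
    return [row[M - i:] + row[:M - i] for i in range(M)]

def inverse_gf2(rows):
    """Gauss-Jordan inverse over GF(2); None when the matrix is singular."""
    n = len(rows)
    a = [r[:] + [int(i == j) for j in range(n)] for i, r in enumerate(rows)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r][col]), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        for r in range(n):
            if r != col and a[r][col]:
                a[r] = [x ^ y for x, y in zip(a[r], a[col])]
    return [r[n:] for r in a]

def find_normal_basis():
    """First alpha (scanning bitmasks 1, 2, ...) with invertible F(alpha), and F^-1(alpha)."""
    for alpha in range(1, 1 << M):
        f = f_matrix(alpha)
        # Quick rejects: Theorem 7 (Tr(alpha) = 0), Theorem 8 (all ones), Lemma 10 (even weight)
        if f[0][0] == 0 or all(f[0]) or sum(f[0]) % 2 == 0:
            continue
        inv = inverse_gf2(f)
        if inv is not None:
            return alpha, inv
    raise ValueError("no normal basis found")

def boolean_matrix(alpha, inv):
    """beta from row 0 of F^-1 (Eq. 13), then rho_ij = Tr(a^(2^i) * a^(2^j) * b^(2^(M-1)))."""
    a = conjugates(alpha)
    beta = combine(inv[0], a)
    b_last = conjugates(beta)[-1]
    return beta, [[trace(gf_mul(gf_mul(ai, aj), b_last)) for aj in a] for ai in a]

def mo_multiply(y, z, omega):
    """Normal-basis product: every output bit uses the same omega on cyclically shifted inputs."""
    w = []
    for k in range(M):
        ys, zs = y[k + 1:] + y[:k + 1], z[k + 1:] + z[:k + 1]   # right shift by M-1-k
        w.append(sum(omega[i][j] & ys[i] & zs[j] for i in range(M) for j in range(M)) % 2)
    return w
```

Normal-basis coordinates of an element x are obtained as Tr(x·β^(2^i)) by property (4), and `combine(coords, conjugates(alpha))` maps them back to the bitmask form.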


Once the Boolean matrix is constructed, the product function is defined. Then the implementation of the Massey-Omura multiplier of $GF(2^7)$ can be designed as described in Ref. 10. Figures 2-4 give Boolean matrices for $m = 8$, 17 and 30, respectively. Reference 16 also gives a Boolean matrix for $m = 127$. It should be pointed out that, in our experience of searching the Boolean matrix, the above-mentioned three quick ways of verifying the invertibility of $F(\alpha)$ given in Theorems 7 through 9 are the primary verification rules that the procedure has gone through. In other words, our experience indicates that, in the process of constructing the Boolean matrix shown in Fig. 1, the most time-consuming matrix inversion procedure in the Gaussian elimination method is unlikely to be needed to rule out the candidate $\alpha$, resulting in a saving of a great deal of time. Figure 5 illustrates the CPU time required to construct the Boolean matrix for $GF(2^m)$ on a VAX-11/750. The capital delta ($\Delta$) in the figure indicates the actual time required by using an arbitrarily selected irreducible polynomial of degree $m$. For example, the construction of the Boolean matrix for $GF(2^{127})$ takes only 40 minutes. The solid line shows that the trend of the required time increases exponentially as $m$ increases. For large $m$, the computation time is mainly for forming the Boolean matrix, while, for small $m$, the computation time is dominated by the pre-matrix computation including the initial program set up and the trace computations of canonical basis which is required for forming matrix $F(\alpha)$. The most vertical part of the line in Fig. 5 shows the transition between these two kinds of computation.


VII. Conclusion 

Although for some Galois field $GF(2^m)$ the roots of a generating polynomial can be easily verified to be linearly independent and then used as a normal basis, it is generally very difficult to locate a normal basis in a field. This makes the Massey-Omura multiplication less attractive since its design is based on a normal basis. A generalized algorithm to locate a normal basis of $GF(2^m)$ has been presented. Using this normal basis, an algorithm to construct a product function has also been developed. After a product function is defined, the design of the Massey-Omura multiplier is straightforward.

Fig. 1. Algorithm of constructing the Boolean matrix for the multiplication in $GF(2^m)$

Fig. 2. Boolean matrix for $GF(2^8)$

Fig. 3. Boolean matrix for $GF(2^{17})$

Fig. 5. CPU time required to construct Boolean matrix for $GF(2^m)$



Appendix A 

Trace Computation for $GF(2^m)$

Although the trace value of an element $\theta$ in $GF(2^m)$ can be computed directly by its definition

$$Tr(\theta) = \sum_{i=0}^{m-1} \theta^{2^i}$$

this appendix provides a much simpler approach to compute the trace value.

Let $\epsilon$ be a root of the generating irreducible polynomial $P(x)$ of $GF(2^m)$. For any element $\theta$ of $GF(2^m)$,

$$\theta = a_0 + a_1 \epsilon + a_2 \epsilon^2 + \cdots + a_{m-1} \epsilon^{m-1} = \sum_{i=0}^{m-1} a_i \epsilon^i \qquad (A-1)$$

Since trace is a linear operator in $GF(2^m)$,

$$Tr(\theta) = \sum_{i=0}^{m-1} a_i \, Tr(\epsilon^i) \qquad (A-2)$$

Hence, our problem becomes how to find the trace values of the canonical basis $\{1, \epsilon, \epsilon^2, \ldots, \epsilon^{m-1}\}$ of $GF(2^m)$. The set of Newton formulae (Ref. A-1) demonstrates a very easy and quick way to accomplish it.

Let the generating polynomial be

$$P(X) = X^m + c_1 X^{m-1} + c_2 X^{m-2} + \cdots + c_{m-1} X + c_m$$

and $\{\epsilon, \epsilon^2, \epsilon^4, \ldots, \epsilon^{2^{m-1}}\}$ be the set of its roots. By Newton formulae, it can be shown that

$$\begin{aligned}
& Tr(1) = m \bmod 2 \\
& Tr(\epsilon) + c_1 = 0 \\
& Tr(\epsilon^2) + c_1 Tr(\epsilon) = 0 \\
& \qquad \vdots \\
& Tr(\epsilon^j) + c_1 Tr(\epsilon^{j-1}) + \cdots + c_{j-1} Tr(\epsilon) + [j \bmod 2]\, c_j = 0 \\
& \qquad \vdots \\
& Tr(\epsilon^{m-1}) + c_1 Tr(\epsilon^{m-2}) + \cdots + c_{m-2} Tr(\epsilon) + [(m-1) \bmod 2]\, c_{m-1} = 0
\end{aligned} \qquad (A-3)$$

Therefore, the trace values of the canonical basis $\{1, \epsilon, \epsilon^2, \ldots, \epsilon^{m-1}\}$ can be easily computed.

An interesting case is that when a trinomial is used to generate a field $GF(2^m)$. References A-2, A-3, and A-4 give a list of trinomials which are irreducible for $m < 1000$. In this case, the way of computing the trace values of the canonical basis $\{1, \epsilon, \epsilon^2, \ldots, \epsilon^{m-1}\}$ can be further simplified from Eq. (A-3) to the following:

Suppose that $P(X) = X^m + X^k + 1$. Let $j = m - k$.

(1) $Tr(1) = m \bmod 2$.

(2) When $j$ is even, $Tr(\epsilon^i) = 0$ for $0 < i < m - 1$.

(3) When $j$ is odd, for $0 < i < m - 1$,

$$Tr(\epsilon^i) = \begin{cases} 1, & \text{if } i = nj \ (n \text{ is an integer}) \\ 0, & \text{otherwise} \end{cases} \qquad (A-4)$$

Note that if $P(X)$ is irreducible and $m$ is even, $k$ and $j$ must be odd.